From z/OS ROSCOE for ACF2 STIG
Part of ZB000020
Associated with IA controls: ECCD-2, ECCD-1
ROSCOE can run with sensitive system privileges, and potentially can circumvent system controls. Failure to properly control access to program product resources could result in the compromise of the operating system environment, and compromise the confidentiality of customer data. Many utilities assign resource controls that can be granted to system programmers only in greater than read authority. Resources are also granted to certain non sytems personnel with read only authority.
a) Refer to the following report produced by the ACP Data Collection and Data Set and Resource Data Collection: - SENSITVE.RPT(ZROS0020) - ACF2CMDS.RPT(RESOURCE) – Alternate report Automated Analysis Refer to the following report produced by the Data Set and Resource Data Collection: - PDI(ZROS0020) b) Review the following items for the ROSCOE resource class, TYPE(ROS): 1) The ACP rules for the ROSCOE resource specify a default access of NONE. 2) If ACP rules to ROSCOE resources defined in the CA ROSCOE Resources table, in the z/OS STIG Addendum, is restricted to the appropriate personnel. 3) The ACP rules are logged as indicated in the CA ROSCOE Resources table, in the z/OS STIG Addendum. c) If any item in (b) is untrue, this is a FINDING. d) If all items in (b) are true, this is NOT A FINDING.
The systems programmer will work with the IAO to verify that the following are properly specified in the ACP 1) The ROSCOE Resources are properly defined and proper access is restricted according to the CA ROSCOE Resources table, in the z/OS STIG Addendum. 2) Verify that logging is specified according to the CA ROSCOE Resources table, in the z/OS STIG Addendum The systems programmer will see that the questionaire member for this product vulnerability contains the resouces, authorized users access levels and logging requirements, based on the sites requirements. Example: $KEY(ROSCMD) TYPE(ROS) MONITOR.CON UID(syspaudt) ALLOW MONITOR.CON UID(operaudt) ALLOW MONITOR.DIS UID(syspaudt) ALLOW MONITOR.PUR UID(syspaudt) LOG PRIV UID(syspaudt) LOG PRIV.ROSLIB UID(syspaudt) LOG PRIV.ROSLIB UID(secaaudt) LOG PRIV.ROSLIB UID(secdaudt) LOG - UID(syspaudt) LOG - UID(*) PREVENT
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer